RSH Kerberos and SSH Remote Access Commands

The remote access commands were designed for smaller networks, such as intranets. They enable you to log in remotely to another account on another system and to copy files from one system to another. You can also obtain information about another system, such as who is currently logged on (see Table 15-3). Many of the remote commands have comparable network communication utilities used for the Internet. For example, rlogin, which remotely logs in to a system, is similar to telnet. The rcp command, which remotely copies files, performs much the same function as ftp.

| Remote Command | Effect |
| --- | --- |
| rwho | Displays all users logged in to systems in your network. |
| ruptime | Displays information about each system on your network. |
| rlogin system-name | Allows you to log in remotely to an account on another system. Kerberos version used by default. The -l option allows you to specify the login name of the account. |
| slogin system-name | Secure login to an account on another system. |
| rcp sys-name:file1 sys-name:file2 | Allows you to copy a file from an account on one system to an account on another system. The -p option preserves the modification times and modes of source files. Kerberos version used by default. |
| scp sys-name:file1 sys-name:file2 | Secure copy of a file from an account on one system to an account on another system. |
| rsh sys-name Linux-command | Allows you to remotely execute a command on another system. The -l option allows you to specify the login name; -n redirects input from the null special device, /dev/null. Kerberos version used by default. |
| ssh sys-name Linux-command | Secure remote execution of a command on another system. |

Table 15-3 Remote Access Commands


Due to security risks with the original versions of the remote operations rcp, rlogin, and rsh (RSH package), secure implementations are now installed with Fedora. Secure versions of these commands are provided by Kerberos and the Secure Shell (SSH). The Kerberos versions are configured as the default (/etc/profile.d/krb5-workstation.sh). Whenever you enter an rcp or rsh command, you are actually invoking the Kerberos version of the command. Kerberos provides versions of telnet, rlogin, rcp, rsh, and ftp, which provide authentication and encryption. These versions operate using the same commands and options as the originals, making their use transparent to the user. When Kerberos is installed on your system, Fedora configures the user's PATH variable to access the Kerberos versions of the remote commands, located at /usr/kerberos/bin instead of /usr/bin.

The Secure Shell (SSH) versions use slightly different names, using an initial s in the commands, such as ssh, slogin, or scp (see Chapter 19). SSH commands are encrypted, providing a very high level of security.

Even the original remote commands now include Kerberos support, enabling them to use more secure access configurations like those provided by .k5login (discussed below). Still, these commands could allow easy unencrypted remote access to a Linux system. They should be used only within a local secure network.

Remote Access Information

You can use several commands to obtain information about different systems on your network. You can find out who is logged in, get information about a user on another system, or find out if a system is up and running. For example, the rwho command functions in the same way as the who command. It displays all the users currently logged in to each system in your network.

$ rwho
violet robert:tty1 Sept 10 10:34
garnet chris:tty2 Sept 10 09:22

The ruptime command displays information about each system on your network. The information shows how each system has been performing: ruptime shows whether a system is up or down, how long it has been up or down, the number of users on the system, and the average load on the system for the last five, ten, and fifteen minutes.

$ ruptime
violet up 11+04:10, 8 users, load 1.20 1.10 1.00
garnet up 11+04:10, 20 users, load 1.50 1.40 1.30

Remote Access Permission: .k5login

The remote commands on Fedora are Kerberos enabled, allowing you to use Kerberos authentication to control access. For ease of use you can use the .k5login file to control access to your account by users using remote commands (.rhosts is not used). Users create this file on their own accounts using a standard editor. The file must be located in the user's home directory.

The .k5login file is a simple way to allow other people access to your account without giving out your password. To deny access to a user, simply delete the system's name and the user's login name from your .k5login file. If a user's login name and system are in a .k5login file, that user can directly access your account without knowing the password (in place of using .k5login, you could use a password). The .k5login file will contain Kerberos names for users, including user names and realms. Such a user will undergo Kerberos authentication to gain access. A .k5login file is required for other remote commands, such as remotely copying files or remotely executing Linux commands.

The type of access .k5login provides enables you to use remote commands to directly access accounts that you might have on other systems. You do not have to log in to them first. In effect, you can treat your accounts on other systems as extensions of the one you are currently logged in to. Using the rcp command, you can copy any files from one directory to another no matter which of your accounts they are on. With the rsh command, you can execute any Linux command you want on any of your other accounts.
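Because every entry in a .k5login file grants password-less access to the account, it is worth reviewing who is listed. The following audit script is an added example, not part of the original text; the realm EXAMPLE.COM, the accounts, and the principals are constructed sample data, and entries are assumed to be written one per line as user@REALM.

```shell
#!/bin/sh
# Added example: audit .k5login files under a directory of home directories.
# All accounts, principals and the realm below are constructed sample data;
# a real run would pass /home instead of the scratch directory.
HOMES=$(mktemp -d)
trap 'rm -rf "$HOMES"' EXIT
EXPECTED_REALM="EXAMPLE.COM"   # assumption: the site's own Kerberos realm

mkdir -p "$HOMES/robert" "$HOMES/chris"
printf '%s\n' 'robert@EXAMPLE.COM' 'chris@EXAMPLE.COM' > "$HOMES/robert/.k5login"
printf '%s\n' 'chris@EXAMPLE.COM' 'aleina@OTHER.EXAMPLE.ORG' > "$HOMES/chris/.k5login"
chmod 600 "$HOMES/robert/.k5login"
chmod 666 "$HOMES/chris/.k5login"

# audit_k5login HOMES_DIR REALM
# Prints one line per finding: "<account> <finding> <detail>".
audit_k5login() {
    for f in "$1"/*/.k5login; do
        [ -f "$f" ] || continue
        account=$(basename "$(dirname "$f")")
        # Group- or world-writable: someone else could add a principal.
        case $(ls -ld "$f") in
            ?????w*|????????w*) echo "$account writable-by-others $f" ;;
        esac
        while IFS= read -r principal; do
            [ -n "$principal" ] || continue
            realm=${principal##*@}   # text after the last "@"
            user=${principal%@*}     # text before the last "@"
            if [ "$realm" != "$2" ]; then
                echo "$account foreign-realm $principal"
            elif [ "$user" != "$account" ]; then
                echo "$account other-user $principal"
            fi
        done < "$f"
    done
}

audit_k5login "$HOMES" "$EXPECTED_REALM"
```

An other-user finding is not necessarily a problem, since granting access to another person is what the file is for; the report simply makes each grant visible for review.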

rlogin, slogin, rcp, scp, rsh, and ssh

You may have accounts on different systems in your network, or you may be permitted to access someone else's account on another system. You could access an account on another system by first logging in to your own account, and then remotely logging in across your network to the account on the other system. You can perform such a remote login using the rlogin command, which takes as its argument a system name. The command connects you to the other system and begins login procedures. Bear in mind that if you are using an SSH-enabled network connection, you could use slogin instead of rlogin. Either slogin or Kerberos rlogin will provide secure encrypted login access.

You can use the rcp command to copy files to and from remote and local systems. For SSH-enabled network connections, you would use scp instead of rcp. The rcp and scp commands are file transfer tools that operate like the cp command, but across a network connection to a remote system. The rcp command begins with the keyword rcp and has as its arguments the names of the source file and the copy file. To specify the file on the remote system, you need to place the remote system name before the filename, separated from it by a colon. When you are copying a file on the remote system to your own, the source file is a remote file and requires the remote system's name. The copy file is a file on your own system and does not require a system name:

$ rcp remote-system-name:source-file copy-file

In the next example, the user copies the file wednesday from the remote system violet to her own system and renames the file today:

$ rcp violet:wednesday today

You can also use scp or rcp to copy whole directories to or from a remote system. The scp command with the -r option copies a directory and all its subdirectories from one system to another. Like the cp command, these commands require source and destination directories. The directory on the remote system requires that the system name and colon be placed before the directory name. When you copy a directory from your own system to a remote system, the copy directory is on the remote system and requires the remote system's name. In the next example, the user uses the scp command to copy the directory letters to the directory oldnotes on the remote system violet:

$ scp -r letters violet:oldnotes

NOTE For backups or copying a large number of files you would use rsync, described in Chapter 34.

At times, you may need to execute a single command on a remote system. The rsh command executes a Linux command on another system and displays the results on your own. Your system name and login name must, of course, be in the remote system's .k5login file. For SSH-enabled network connections, you could use ssh instead of rsh. The ssh and rsh commands take two general arguments: a system name and a Linux command. The syntax is as follows:

$ rsh remote-system-name Linux-command

In the next example, the rsh command executes an ls command on the remote system violet to list the files in the /home/robert directory:

$ rsh violet ls /home/robert

Special characters are evaluated by the local system unless quoted. If you quote a special character, it becomes part of the Linux command evaluated on the remote system. Quoting redirection operators enables you to perform redirection operations on the remote system. In the next example, the redirection operator is quoted. It becomes part of the Linux command, including its argument, the filename myfiles. The ls command then generates a list of filenames that is redirected on the remote system to a file called myfiles, also located on the remote system.

The same is true for pipes. The first command (shown next) prints the list of files on the local system's printer. The standard output is piped to your own line printer. In the second command, the list of files is printed on the remote system's printer. The pipe is quoted and evaluated by the remote system, piping the standard output to the printer on the remote system.

$ ssh violet ls /home/robert | lpr
$ ssh violet ls /home/robert '|' lpr
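The local-versus-remote evaluation described above can be reproduced offline. The script below is an added example, not part of the original text: fake_ssh is a constructed stand-in that, like ssh and rsh, joins its arguments with spaces and hands the string to a second shell, with a scratch directory playing the remote system. It also goes one step beyond the text to show that quotes typed locally are consumed locally, so a filename containing a space needs a second layer of quoting to survive the remote shell.

```shell
#!/bin/sh
# Added example: fake_ssh is a constructed stand-in for "ssh host command".
# The "remote system" is only a scratch directory (assumption), so this
# runs without any network connection.
LOCAL_DIR=$(mktemp -d)    # plays the local working directory
REMOTE_DIR=$(mktemp -d)   # plays the home directory on the remote system
trap 'rm -rf "$LOCAL_DIR" "$REMOTE_DIR"' EXIT
touch "$REMOTE_DIR/notes" "$REMOTE_DIR/report"

fake_ssh() {
    # "$*" joins the arguments with spaces; the far-side shell re-parses them.
    ( cd "$REMOTE_DIR" && sh -c "$*" )
}

# Unquoted ">": the local shell performs the redirection, so the listing of
# the remote directory ends up in a local file.
redirect_unquoted() {
    ( cd "$LOCAL_DIR" && fake_ssh ls > myfiles )
}

# Quoted ">": the operator travels as an ordinary argument and the remote
# shell performs the redirection, so myfiles is created on the remote side.
redirect_quoted() {
    ( cd "$LOCAL_DIR" && fake_ssh ls '>' myfiles )
}

# One layer of quotes is stripped locally; the remote shell then splits the
# name into two words. A second, inner layer keeps it as one word.
touch_one_layer()  { fake_ssh touch "my file"; }
touch_two_layers() { fake_ssh touch "'your file'"; }

# Report which side holds a file: prints "local", "remote", or "none".
where_is() {
    if [ -e "$LOCAL_DIR/$1" ]; then echo local
    elif [ -e "$REMOTE_DIR/$1" ]; then echo remote
    else echo none
    fi
}

redirect_unquoted
echo "unquoted '>': myfiles is $(where_is myfiles)"
rm -f "$LOCAL_DIR/myfiles"
redirect_quoted
echo "quoted '>':   myfiles is $(where_is myfiles)"
touch_one_layer
echo "one layer:  'my file' is $(where_is 'my file'), 'my' is $(where_is my)"
touch_two_layers
echo "two layers: 'your file' is $(where_is 'your file')"
```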

NOTE The Kerberos versions of the remote commands also let you specify Kerberos realms and credentials.
